HV2 Security Issues

The problem is that the content store is shared for all users and content consists of more than just text. The potential to include behaviors, scripts, etc. into content that could be left as a "sleeper" for future users/administrators to execute has made our security model more complex than I really like.

In VS 2010 our security model to handle this was to allow administrators to delegate content install of certain types of content. The fact that only some content was allowed to be installed by non-administrators caused a lot of confusion, and the general feedback we got was that you had to be administrator to install content, since 3rd-party content was shipped in formats that we could not validate (e.g. MSHC files instead of signed CABs).

For Dev 11 (VS 2012) we have followed that feedback and now require all content install to be done from administrator. We also tried to take a look at the different enterprise deployment scenarios. The deployment you might want to work with your IT department on would be to have a single content store on a UNC path that all instances of VS on your network use. That would allow them to update once for the network. Alternatively, the update can be scripted as a command line and pushed to machines in a similar way to any MSI install.

If this is going to be a problem (e.g. your IT department cannot/will not manage content), please file a Connect bug to have us re-evaluate our requirements. Also post the link to this thread so others can vote on it.

Sharing HV2 Content

The administrator's guide was written to be a reference guide for these types of problems. I'll do my best to cover your questions, but if I miss something it might help.

For network share: The content store location is stored in a registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Help\v2.0\Catalogs\VisualStudio11\LocationPath for dev11). During scripted deployment of VS our expectation is that the store will be moved if desired. Doing this allows an IT department to pick a standard location for help, either on the machine or on a UNC path. For UNC we do advise having only one machine/user do the content administration; however, multiple machines can view content while this occurs.

There is always a risk of having the issue you describe; this could occur either on a local machine with multiple users or on a share. The network does add complexity that increases the chances. We tried to minimize the risk but I cannot guarantee you will never see the issue.

Here is what we are doing for content install:

When we install/update content the operation occurs in a separate folder from the normal content store. The last step of install is to move the files to the store. These files are versioned so there should be no collision with current files. Once the move is complete HlpCtntMgr raises an install complete message and goes idle for a few seconds so the viewers can reconnect and load the new files. After this idle time the previous files are deleted. If a file is still locked we leave it in place. All files that should be deleted will have a ".delete." file added to the content store. Subsequent content management runs will attempt to delete the file as well, so eventually the lock should be gone and the file will be deleted.

For scripting: All content install is done from HlpCtntMgr.exe; this application takes command line switches. One of the possible operations is "refresh", which will check for updates against the endpoint and install them if available.
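Because the store is shared and content can carry scripts, the file-system ACL on the path in LocationPath is what actually enforces "administrators only". The following audit is an added example, not Microsoft's code or part of the original thread; the list of allowed SIDs and the function name Get-HelpStoreWriteAccess are assumptions to adapt to your own policy.

```powershell
# Added example: list principals, other than the expected administrators,
# that can modify the Help Viewer 2 content store.
# Registry key and value name are the ones this page gives for Dev 11.
$catalogKey = 'HKLM:\SOFTWARE\Microsoft\Help\v2.0\Catalogs\VisualStudio11'

# Assumption: only these well-known SIDs should hold write access.
# Add the SID of your content administration account if you use one.
$allowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0'         # CREATOR OWNER (applies only to objects a writer creates)
)

# Rights that let a principal plant, replace or remove content.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL stored raw in an ACE

function Get-HelpStoreWriteAccess {
    param([string]$CatalogKey = $catalogKey)

    $raw   = (Get-ItemProperty -Path $CatalogKey -Name LocationPath -ErrorAction Stop).LocationPath
    $store = [Environment]::ExpandEnvironmentVariables($raw)
    # The provider prefix keeps UNC paths working from any current location.
    $acl = Get-Acl -LiteralPath "Microsoft.PowerShell.Core\FileSystem::$store" -ErrorAction Stop
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($allowedSids -contains $sid) { continue }

        # Resolve a display name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Store     = $store
            IsUnc     = $store.StartsWith('\\')
            Identity  = $name
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

Get-HelpStoreWriteAccess | Format-Table -AutoSize
```

An empty result means no unexpected principal holds write access on the store folder itself. For a UNC store this covers the NTFS ACL only, so the share permissions still need to be checked on the file server.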

An error occurred while checking for updates: Microsoft.VisualStudio.Help.CacheLib.CacheLibServiceApiException: The web server has reported an error for http://services.mtps.microsoft.com/ServiceAPI/catalogs/VisualStudio11/en-US: ProtocolError/ProxyAuthenticationRequired

The help viewer does not negotiate proxy authentication. There have been a couple of different threads on ways to work around this on the forums.

Alternatively, some people have reported that using Fiddler to negotiate the proxy has been successful for them. The basic steps for that would be to install Fiddler2, launch it, bring up a web browser and go to http://services.mtps.microsoft.com/ServiceAPI/catalogs/VisualStudio11/en-US. Fiddler will capture the proxy authentication and replay it as appropriate. After this the help viewer should be able to communicate through Fiddler to the site.